Re: selinux getsebool request




On 12 Apr 2016 6:10 p.m., "John Jasen" <jjasen@xxxxxxxxxxxxxxxxxx> wrote:
>
> Out of faint curiosity, how do we push change requests upstream to RHEL?
>
> I'm using puppet to automate systems, including the application of
> SELinux policy. While setsebool -P is non-damaging to repeat, it is time
> consuming -- taking about 45 seconds per execution to process the
> existing policy and re-commit to disk.
>
> I'd like a simple ability to put an unless in the execution of
> setsebool, to key off whether it's necessary -- to reduce a SELinux
> puppet run from 250 seconds to about 60.  Unfortunately, in the current
> format, getsebool has defeated me.
>
> Would it be possible to have getsebool extended, so something like
> getsebool -b $variablename would return true or false as the exit code?
>
>

I'd start with a feature request upstream, or in Fedora, and then request a
backport of that into RHEL after it is added.

For the purposes of your specific need, can't you pipe getsebool to grep for
your unless to check if it's set?

For example:

unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep -q -- '--> on$'"

Incidentally, one nice trick if you're dealing with potentially changing
multiple booleans and the policy compile time is to either skip -P and
understand it's not persistent, so puppet needs to fix it at boot, or pass
multiple booleans to setsebool at the same time so the compile only happens
once.
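The reply's two suggestions, an exit-code check built from getsebool output and a single batched setsebool -P, as an added example that is not part of the thread. One caveat the example makes explicit: a grep pattern that is not anchored to the value after the arrow (a bare `grep on`) also matches the substring "on" inside a name such as httpd_can_network_connect, so the check reports "on" even when the boolean is off. The parsing functions take getsebool-style text as an argument and run offline against a constructed sample; only the two wrappers at the end call /usr/sbin/getsebool and /usr/sbin/setsebool on a real system.

```shell
#!/bin/sh
# Added example (not from the thread): exit-code checks around getsebool for
# a Puppet `unless`, and one batched setsebool -P run for several booleans.
# Only sebool_is_on and sebool_apply touch the real system; everything else
# parses getsebool-style text so it can be exercised offline.

# Constructed sample of `getsebool -a` output, used for offline testing only.
SAMPLE_GETSEBOOL_A='httpd_can_network_connect --> off
httpd_enable_homedirs --> off
samba_export_all_rw --> on'

# sebool_line_is_on LINE
# Exit 0 when LINE reports the boolean as on, 1 when off, 2 when the line is
# not getsebool output. The pattern is anchored on the value after the arrow,
# so a boolean whose *name* contains "on" cannot produce a false match.
sebool_line_is_on() {
    case $1 in
        *' --> on')  return 0 ;;
        *' --> off') return 1 ;;
        *)           return 2 ;;
    esac
}

# naive_grep_is_on LINE
# The unanchored check, kept for comparison: `grep on` matches anywhere in
# the line, including the "on" inside "httpd_can_network_connect".
naive_grep_is_on() {
    printf '%s\n' "$1" | grep -q on
}

# sebool_changes_needed CURRENT_OUTPUT NAME=VALUE...
# Print only the NAME=VALUE pairs whose desired value differs from the state
# recorded in CURRENT_OUTPUT (getsebool -a text). Empty output means the
# policy is already correct and setsebool -P can be skipped entirely.
sebool_changes_needed() {
    current=$1
    shift
    for want in "$@"; do
        name=${want%%=*}
        value=${want#*=}
        cur=$(printf '%s\n' "$current" |
              awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        [ "$cur" = "$value" ] || printf '%s\n' "$want"
    done
}

# sebool_is_on NAME
# Real-system wrapper: the exit code mirrors the boolean state, 2 on a
# lookup error, so it can be used directly as a Puppet `unless` command.
sebool_is_on() {
    out=$(/usr/sbin/getsebool "$1" 2>/dev/null) || return 2
    sebool_line_is_on "$out"
}

# sebool_apply NAME=VALUE...
# Real-system wrapper: one persistent setsebool -P run covering every boolean
# that is actually out of line, so the policy is recompiled at most once.
sebool_apply() {
    pending=$(sebool_changes_needed "$(/usr/sbin/getsebool -a)" "$@") || return 2
    [ -n "$pending" ] || return 0
    # shellcheck disable=SC2086  # splitting the newline-separated pairs is intended
    /usr/sbin/setsebool -P $pending
}
```

In Puppet the natural shape is one exec whose `command` is `sebool_apply` with the full desired list and whose `unless` is a call to `sebool_changes_needed` that exits non-zero only when it prints something; either way the 45-second policy rebuild happens once per run, and not at all when nothing has drifted.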
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos


